The Expanding Definition Of PII

“Data-Driven Thinking" is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Carla Holtze, CEO and co-founder of Parrable.

What does personally identifiable really mean? For as long as I can remember, personally identifiable information (PII) basically meant email address, telephone number and postal address.

Everyone in the advertising technology world built their platforms based on the notion that PII was essentially radioactive. Until recently, an ad tech platform could consider itself a long way toward the goal of being privacy safe by simply keeping PII off of its platform.

That is, until regulators and policymakers began taking a broad view of PII.

For the past several years, privacy professionals in the digital media space have feared that the definition of personally identifiable would expand to include IP address, cookie ID and mobile ad IDs, such as Apple’s IDFA. Unfortunately, such fears are being confirmed in several places.

For example, the European Union just ratified its new General Data Privacy Regulation that specifically defines pseudonymous identifiers such as an IP address as personal data. And in the US, the Federal Communications Commission’s recent notice of rulemaking takes a similarly broad definition of PII.

I also participated in a recent event where a senior official at the Federal Trade Commission (FTC) took the stage to explain that it too had gradually moved toward a broad definition of personally identifiable.

Moving The Goal Posts

Maybe we need to rethink privacy standards, as many of them were written a long time ago.

But if the FTC and others are now changing their tune, and if all information collected is now considered personally identifiable, how does a good ad tech platform comply with the NAI Code? And perhaps more importantly, is there still an incentive for ad tech companies not to collect email addresses and telephone numbers?

Some of my industry colleagues have suggested that ad tech might as well start collecting everything – maybe even Social Security numbers. I respectfully disagree.

There are privacy-enhancing benefits to limiting ad tech to pseudonymous information.

Why are certain pseudonymous identifiers considered personally identifiable? If we can better understand the rationale for declaring certain data points as PII, perhaps we can find a solution that addresses those concerns.

Their analysis may be summarized as follows: Some IP addresses may be used by some companies, such as Internet service providers, as personal data. In other words, an Internet service provider may know that a particular IP address corresponds to a particular subscriber account number. Thus, an IP address should also be considered personal data to anyone because anyone could theoretically get to the physical address with the help of the Internet service provider.

Following the logic, one can make the same argument about the mobile operating system advertising IDs. If IDFA #123 corresponds in Apple’s systems to bill@hotmail.com, anyone theoretically could get to bill@hotmail.com via IDFA #123 with the help of Apple.

To their credit, Apple and Internet service providers have demonstrated that they are unwilling to assist companies to re-identify subscribers. But no matter, the fact that they might be able to facilitate re-identification seems to be enough.

Are All IDs The Same?

So does that mean that any pseudonymous identifier has to be treated like personal data? Maybe not. If one could use a cookie ID that wasn’t connected to an IP address, that might be viewed as more privacy-safe because it would be impossible – not just improbable – for the cookie ID to be used to identify someone.

There are a few things that might help ad tech companies continue to provide ad delivery and reporting in a pseudonymous way without regulators jumping to claim that the collected information is PII. First, identifiers should be resettable by the user, which is an area where Apple and Google have led the way. Second, identifiers should not be linked to personally identifiable information without user consent.

These steps are crucial for any ad tech company that seeks to stay out of the PII world. Hopefully, regulators and policymakers will agree. The alternative seems downright, well, Orwellian.